1. Field of the Invention
Embodiments of the present invention generally relate to securing a distributed computing environment and, more specifically, to a method and apparatus for accessing computers in the distributed computing environment.
2. Description of the Related Art
Computer security issues have become more complex with the continual evolution of contemporary computer systems. As corporations utilize increasingly distributed and open computing environments, the security requirements of an enterprise typically grow accordingly. The complexity of employee, customer and partner access to critical information assets, while assuring proper security, has proven to be a major hurdle. For example, many organizations deploy network applications that allow their external business partners, as well as their own internal employees, to access sensitive information resources within the enterprise. In the absence of adequate security measures, an enterprise may be subject to the risk of decreased security and confidentiality.
In today's complex business environment, specifying, stating, implementing and managing an enterprise access control policy may be both difficult and inefficient. When corporate data and applications revolved around a mainframe model, the problem of defining and managing access to corporate applications was relatively straightforward. Today, the complexity of distributed application architectures may force companies to resort to manual, ineffective or highly custom approaches to access control in their attempts to implement security procedures.
A distributed computer system is usually secured by employing a combination of encryption, authentication, and authorization technologies. Encryption is a means of sending information between participants in a manner that prevents other parties from reading the information. Authentication is a process of verifying a party's identity. Authorization is a technique for determining what actions a participant is allowed to perform.
The security approach of most companies today is to focus on the authentication of users to ensure that those users are part of the organization or a member of a select group. Authentication can be accomplished with a number of different approaches, from simple password or challenge response mechanisms to smart cards and biometric devices such as a fingerprint reader. Once users are authenticated, however, there is still a significant problem in managing and enforcing their set of privileges, which may be unique and vary widely between users. The same authentication mechanism can be used for every user, but different authorization mechanisms must be developed for most applications. Therefore, reliable and efficient access control is a difficult problem facing enterprises today.
Authentication mechanisms often work together with some sort of access control facility that can protect information resources from unauthorized users. Examples of network security products include firewalls, digital certificates, virtual private networks, and single sign-on systems. Some of these products provide limited support for resource-level authorization. For example, a firewall can screen access requests to an application or a database, but does not provide object-level authorization within an application or database. Single Sign-On (SSO) products, for example, maintain a list of resources an authenticated user can access by managing the login process to many different applications.
A Single Sign-On application allows an end user to log into multiple applications with one set of credentials and simplifies password management for an enterprise. Single Sign-On applications allow a user to create a remote session, sign on to a remote computer and access resources located on it. However, there is a possibility that the user will fail to sign out or log out of the remote computer upon terminating the remote session. Failure to sign out from the remote computer compromises security and increases the likelihood of unauthorized access to information stored on the remote computer.
Thus, there is a need in the art for a method and apparatus that ensures a user is signed out from each and every remote computer in a distributed computing environment to protect against unauthorized access to information stored on the computer.
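The failure mode described above (a local session ends but the user remains signed on to the remote computers reached through it) and the kind of tracked, cascading sign-out that the stated need points at can be shown with a small simulation. This is an added illustration written for this page, not the patent's method or any product's code; the RemoteComputer and SsoBroker classes, the host names and the user name are all constructed for the example, and "orphaned session" here means a remote sign-on with no live local session behind it.

```python
"""Constructed simulation of SSO remote sign-ons with and without a
cascading sign-out when the local session terminates (hypothetical design)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


class RemoteComputer:
    """A remote host that keeps its own table of signed-on users."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._sessions: dict[str, str] = {}  # remote token -> user

    def sign_on(self, user: str) -> str:
        token = secrets.token_hex(8)
        self._sessions[token] = user
        return token

    def sign_out(self, token: str) -> bool:
        # True if the token was live and has now been removed
        return self._sessions.pop(token, None) is not None

    def signed_on_users(self) -> set[str]:
        return set(self._sessions.values())


@dataclass
class LocalSession:
    user: str
    # every remote sign-on made under this session, so it can be undone
    remote: list[tuple[RemoteComputer, str]] = field(default_factory=list)


class SsoBroker:
    """Hypothetical SSO broker that records each remote sign-on per local session."""

    def __init__(self) -> None:
        self._sessions: dict[str, LocalSession] = {}

    def create_session(self, user: str) -> str:
        sid = secrets.token_hex(8)
        self._sessions[sid] = LocalSession(user)
        return sid

    def sign_on(self, sid: str, host: RemoteComputer) -> str:
        session = self._sessions[sid]
        token = host.sign_on(session.user)
        session.remote.append((host, token))
        return token

    def drop(self, sid: str) -> None:
        """The failure mode: the local session ends without any remote sign-out."""
        self._sessions.pop(sid)

    def terminate(self, sid: str) -> int:
        """The mitigation: sign out of every remote computer recorded for the session.
        Returns the number of remote sessions actually closed."""
        session = self._sessions.pop(sid)
        return sum(1 for host, token in session.remote if host.sign_out(token))

    def orphaned(self, hosts: list[RemoteComputer]) -> list[tuple[str, str]]:
        """Audit check: remote sign-ons whose user has no live local session."""
        live_users = {s.user for s in self._sessions.values()}
        return sorted((h.name, u) for h in hosts
                      for u in h.signed_on_users() if u not in live_users)


def _setup() -> tuple[SsoBroker, str, list[RemoteComputer]]:
    hosts = [RemoteComputer("db-server"), RemoteComputer("file-server")]  # constructed
    broker = SsoBroker()
    sid = broker.create_session("alice")  # constructed user
    for host in hosts:
        broker.sign_on(sid, host)
    return broker, sid, hosts


def demo_without_cascade() -> list[tuple[str, str]]:
    """Local session dropped; both remote sign-ons are left behind."""
    broker, sid, hosts = _setup()
    broker.drop(sid)
    return broker.orphaned(hosts)


def demo_with_cascade() -> tuple[int, list[tuple[str, str]]]:
    """Local session terminated through the broker; nothing is left behind."""
    broker, sid, hosts = _setup()
    closed = broker.terminate(sid)
    return closed, broker.orphaned(hosts)


if __name__ == "__main__":
    print("orphaned without cascade:", demo_without_cascade())
    print("closed, orphaned with cascade:", demo_with_cascade())
```

The point of the design is that the broker, not the user, holds the list of remote sign-ons, so termination of the local session is the single place where every remote computer is signed out; the `orphaned` check is the kind of audit that would reveal the failure mode if the cascade were skipped.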